<html>
<head><meta charset="utf-8"><title>FFI-unwind design meeting · t-lang · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/index.html">t-lang</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html">FFI-unwind design meeting</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="188826086"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188826086" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188826086">(Feb 22 2020 at 17:37)</a>:</h4>
<p><span class="user-group-mention" data-user-group-id="1977">@T-lang</span> The project-FFI-unwind group has decided that we need to delay the design meeting that was scheduled for Monday, because we want to give the broader community at least a week or so of advance notice (so people can plan to attend if they're interested) and so that you and anyone interested in attending will have time to consider the proposals we're surfacing prior to the discussion.</p>
<p>Towards that end, we've prepared a blog post that will be ready to post as soon as we have settled on a date; please feel free to read it and start providing feedback/thoughts. <a href="https://github.com/rust-lang/project-ffi-unwind/blob/master/blogposts/inside-rust/01-announcement.md" target="_blank" title="https://github.com/rust-lang/project-ffi-unwind/blob/master/blogposts/inside-rust/01-announcement.md">https://github.com/rust-lang/project-ffi-unwind/blob/master/blogposts/inside-rust/01-announcement.md</a></p>



<a name="188826298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188826298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188826298">(Feb 22 2020 at 17:42)</a>:</h4>
<p>For scheduling the meeting, I would like to make sure we pick a date when <span class="user-mention" data-user-id="237472">@acfoltzer</span>, <span class="user-mention" data-user-id="116009">@nikomatsakis</span>, <span class="user-mention" data-user-id="143274">@Amanieu</span>, and I are all available, and preferably <span class="user-mention" data-user-id="132920">@gnzlbg</span>, <span class="user-mention" data-user-id="239881">@Josh Triplett</span>, <span class="user-mention" data-user-id="120791">@RalfJ</span>, and <span class="user-mention" data-user-id="126931">@centril</span> as well.</p>



<a name="188871230"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188871230" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> boats <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188871230">(Feb 23 2020 at 14:33)</a>:</h4>
<p>Question: why is unwinding through a frame without running destructors undefined behavior?</p>



<a name="188875716"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188875716" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188875716">(Feb 23 2020 at 16:57)</a>:</h4>
<p>it's not UB but it's unsound (so probably this is just imprecise terminology)</p>



<a name="188875719"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188875719" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188875719">(Feb 23 2020 at 16:57)</a>:</h4>
<p>the reason it's unsound is e.g. that it can be used to violate the pin-drop guarantee</p>



<a name="188875774"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188875774" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188875774">(Feb 23 2020 at 16:59)</a>:</h4>
<p>as for the meeting, better schedule without me as I am fairly busy -- I don't have high stakes in this (the only reason I am involved at all is that I think the current situation [unwinding being UB but us not inserting abort-on-panic shims] is bad and we should do literally anything else^^). once you found a time, if it works out I may join, but if it doesn't that's okay too.</p>



<a name="188876829"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188876829" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188876829">(Feb 23 2020 at 17:33)</a>:</h4>
<p>This can happen when we emit LLVM <code>nounwind</code> attributes, which can cause destructors to be optimized away as dead code since LLVM assumes they are unreachable. Since this behavior depends on the optimization level, you will end up with a program that behaves differently depending on optimization, which is a clear sign of undefined behavior.</p>



<a name="188880349"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188880349" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188880349">(Feb 23 2020 at 19:14)</a>:</h4>
<blockquote>
<p>Since this behavior depends on the optimization level, you will end up with a program that behaves differently depending on optimization, which is a clear sign of undefined behavior.</p>
</blockquote>
<p>Hm, I'm not sure that's UB, exactly. It does not appear to imply "literally anything can happen."</p>



<a name="188881561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188881561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188881561">(Feb 23 2020 at 19:43)</a>:</h4>
<p>unwinding through nounwind is UB and anything can happen.</p>



<a name="188884323"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188884323" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188884323">(Feb 23 2020 at 21:01)</a>:</h4>
<p><span class="user-mention" data-user-id="123586">@nagisa</span> Ah, right, yes; we discussed whether LLVM's spec might be overly-scrupulous in this regard, but in fact that is what it says.</p>



<a name="188885804"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188885804" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188885804">(Feb 23 2020 at 21:47)</a>:</h4>
<p><span class="user-mention" data-user-id="123586">@nagisa</span> Is there an exception to this rule if there are no destructors in the frame you are unwinding? I strongly expect so, otherwise <code>longjmp</code> on Windows (which uses unwinding) would be UB.</p>



<a name="188885820"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188885820" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188885820">(Feb 23 2020 at 21:48)</a>:</h4>
<p>(obviously you need <code>uwtable</code> for this to work, which is enabled by default on Windows)</p>



<a name="188885861"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188885861" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188885861">(Feb 23 2020 at 21:48)</a>:</h4>
<p>LLVM docs don’t mention any, but I imagine that there might be some platform-specific definedness. Everything on windows is unwinding after all. Including aborting etc. too</p>



<a name="188885876"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188885876" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188885876">(Feb 23 2020 at 21:49)</a>:</h4>
<p>Or it could be the case that frontends are expected to just never attach nounwind to anything when generating Windows code.</p>



<a name="188885917"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188885917" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188885917">(Feb 23 2020 at 21:50)</a>:</h4>
<p>not too sure which way it is.</p>



<a name="188920114"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188920114" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188920114">(Feb 24 2020 at 12:15)</a>:</h4>
<p><span class="user-mention" data-user-id="143274">@Amanieu</span> that sounds like UB caused by incorrect <code>nounwind</code>, which is not the same as the original question</p>



<a name="188920191"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188920191" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188920191">(Feb 24 2020 at 12:16)</a>:</h4>
<p>I think I saw statements by <span class="user-mention" data-user-id="132920">@gnzlbg</span> that SJLJ "unwinding" on Windows is not considered "unwinding" for LLVM <code>nounwind</code>... but I might misremember</p>



<a name="188930724"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188930724" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188930724">(Feb 24 2020 at 14:32)</a>:</h4>
<p>OK, so, we're going to cancel the ffi-unwind design meeting today? I'll update the calendar, and here is a doodle for folks to try and schedule a follow-up: <a href="https://doodle.com/poll/d9xevh43spf6rx8n" target="_blank" title="https://doodle.com/poll/d9xevh43spf6rx8n">https://doodle.com/poll/d9xevh43spf6rx8n</a></p>
<p>(cc <span class="user-mention" data-user-id="237472">@acfoltzer</span> <span class="user-mention" data-user-id="143274">@Amanieu</span> <span class="user-mention" data-user-id="120076">@Kyle Strand</span> <span class="user-mention" data-user-id="132920">@gnzlbg</span> <span class="user-mention" data-user-id="239881">@Josh Triplett</span> <span class="user-mention" data-user-id="126931">@centril</span> on the doodle above.)</p>



<a name="188935410"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188935410" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188935410">(Feb 24 2020 at 15:22)</a>:</h4>
<p><span class="user-mention" data-user-id="116009">@nikomatsakis</span> is the meeting today cancelled then?</p>



<a name="188935741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188935741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188935741">(Feb 24 2020 at 15:26)</a>:</h4>
<p>I think so, let me update the calendar</p>



<a name="188935893"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188935893" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188935893">(Feb 24 2020 at 15:28)</a>:</h4>
<p>cheers</p>



<a name="188938824"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188938824" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> acfoltzer <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188938824">(Feb 24 2020 at 16:01)</a>:</h4>
<p>Thanks for the heads up!</p>



<a name="188941260"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188941260" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> boats <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188941260">(Feb 24 2020 at 16:26)</a>:</h4>
<p>Thanks for clarifying about what the UB comment was referring to.</p>



<a name="188941381"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188941381" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> boats <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188941381">(Feb 24 2020 at 16:27)</a>:</h4>
<p>I agree with Kyle Strand about the comment on optimization level implying UB - that just implies that it's implementation-defined behavior. Not disputing anything else said.</p>



<a name="188941608"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188941608" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> boats <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188941608">(Feb 24 2020 at 16:29)</a>:</h4>
<p>Ralf's comment raises the generally interesting note that thanks to Pin (specifically <code>pin_mut!</code>) we now have to uphold at the language level certain guarantees about destructors running for objects on the stack</p>



<a name="188942766"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188942766" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188942766">(Feb 24 2020 at 16:41)</a>:</h4>
<p>Our current consensus in the ffi-unwind group is that skipping destructors in any way is considered UB. This means that when using <code>longjmp</code> the user must ensure that they do not skip over frames with destructors.</p>



<a name="188946915"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188946915" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188946915">(Feb 24 2020 at 17:27)</a>:</h4>
<p>I think it could be useful to clarify what "UB" refers to exactly -- I would say it is "Rust-level UB". In short, something that you must not do, because safe code (like rayon, etc) could be relying on destructors to run, and we wish to ensure that it is valid for unsafe code to do that. But <span class="user-mention" data-user-id="120791">@RalfJ</span> mentioned the term "unsound", I feel like perhaps there is a slight difference in how folks are using terminology here.</p>



<a name="188947219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947219">(Feb 24 2020 at 17:30)</a>:</h4>
<p><span class="user-mention" data-user-id="116009">@nikomatsakis</span> There's also the fact that we emit <code>nounwind</code> attributes and LLVM says it's UB to unwind through those. I believe we should specify it as language-level UB, we can always relax it later if we want.</p>



<a name="188947287"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947287" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947287">(Feb 24 2020 at 17:31)</a>:</h4>
<p>I believe by "sound" we mean "for all inputs and machine states [derived from safe Rust], calling this [safe] function, or [safe] operations reachable from it, cannot cause an error condition in the Rust Abstract Machine (R-AM)"</p>



<a name="188947427"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947427" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947427">(Feb 24 2020 at 17:33)</a>:</h4>
<p>Probably throwing in "forall possible configurations of the abstract machine as allowed by unspecified behavior"</p>



<a name="188947525"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947525" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947525">(Feb 24 2020 at 17:34)</a>:</h4>
<p><span class="user-mention silent" data-user-id="256759">boats</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188941608" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188941608">said</a>:</p>
<blockquote>
<p>Ralf's comment raises the generally interesting note that thanks to Pin (specifically <code>pin_mut!</code>) we now have to uphold at the language level certain guarantees about destructors running for objects on the stack</p>
</blockquote>
<p>note that this is not new with pinning</p>



<a name="188947535"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947535" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947535">(Feb 24 2020 at 17:34)</a>:</h4>
<p><code>rayon::join</code> and other scoped thread impls already rely on destructors running for objects on the stack</p>



<a name="188947580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947580">(Feb 24 2020 at 17:35)</a>:</h4>
<p><span class="user-mention silent" data-user-id="116009">nikomatsakis</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188946915" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188946915">said</a>:</p>
<blockquote>
<p>I think it could be useful to clarify what "UB" refers to exactly -- I would say it is "Rust-level UB". In short, something that you must not do, because safe code (like rayon, etc) could be relying on destructors to run, and we wish to ensure that it is valid for unsafe code to do that. But <span class="user-mention silent" data-user-id="120791">RalfJ</span> mentioned the term "unsound", I feel like perhaps there is a slight difference in how folks are using terminology here.</p>
</blockquote>
<p>language-level UB is something that Miri would check for, something that is directly engraved in the definition of the Abstract Machine. I don't see any good reason to do that here.</p>



<a name="188947617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947617">(Feb 24 2020 at 17:36)</a>:</h4>
<p>maybe it's "library-level UB", but then, unwinding and the stack are not a library. no idea what you mean by "Rust-level".</p>



<a name="188947721"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947721" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947721">(Feb 24 2020 at 17:36)</a>:</h4>
<p>but also we are having two parallel discussions here -- one about <code>nounwind</code> being UB, and one about popping stack frames without running destructors. those questions are not directly related, as far as I can see.</p>



<a name="188947741"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947741" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947741">(Feb 24 2020 at 17:37)</a>:</h4>
<p>there's probably some distinction to draw here, in terms of ensuring that this is stated as a Safety property rather than a Liveness property. I.e. something like "you cannot evaluate colder frames on the control stack without first evaluating destructors on the warmer frames." (cold/warm terminology is to avoid top-down/bottom-up stack presentation issues.)</p>



<a name="188947853"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188947853" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188947853">(Feb 24 2020 at 17:38)</a>:</h4>
<p><span class="user-mention silent" data-user-id="126931">centril</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188947287" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188947287">said</a>:</p>
<blockquote>
<p>I believe by "sound" we mean "for all inputs and machine states [derived from safe Rust], calling this [safe] function, or [safe] operations reachable from it, cannot cause an error condition in the Rust Abstract Machine (R-AM)"</p>
</blockquote>
<p>yeah, we have <a href="https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library" target="_blank" title="https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library">defined something like this in the UCG</a></p>



<a name="188948105"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188948105" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188948105">(Feb 24 2020 at 17:39)</a>:</h4>
<p>the "destructors of stack frame" case is one where conceivably there could be a variant of Rust (with the same compiler as "normal" Rust!) where not running them is safely possible, that just makes rayon and stack pinning and some other things unsound. it's a bit like mempocalypse -- two patterns that could be sound separately, but are not sound in combination.</p>



<a name="188948760"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188948760" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188948760">(Feb 24 2020 at 17:47)</a>:</h4>
<p>The main question that we are dealing with is actually "What happens if an FFI exception unwinds into Rust code". I don't think this is something that could be checked with Miri since it involves FFI.</p>



<a name="188948909"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/188948909" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#188948909">(Feb 24 2020 at 17:48)</a>:</h4>
<p>Also popping stack frames without running destructors is what happens if you unwind through <code>nounwind</code> since LLVM optimized your destructors away.</p>



<a name="189100576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189100576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189100576">(Feb 26 2020 at 10:10)</a>:</h4>
<p><span class="user-mention silent" data-user-id="143274">Amanieu</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188948760" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188948760">said</a>:</p>
<blockquote>
<p>The main question that we are dealing with is actually "What happens if an FFI exception unwinds into Rust code". I don't think this is something that could be checked with Miri since it involves FFI.</p>
</blockquote>
<p><span class="user-mention" data-user-id="256759">@boats</span> specifically asked "why is unwinding through a frame without running destructors undefined behavior?", as far as I was concerned that is the main question we have been talking about here</p>



<a name="189100631"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189100631" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189100631">(Feb 26 2020 at 10:10)</a>:</h4>
<p>but there seemed to be a parallel discussion where some folks discussed a different question</p>



<a name="189102116"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102116" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102116">(Feb 26 2020 at 10:31)</a>:</h4>
<p><span class="user-mention silent" data-user-id="143274">Amanieu</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188948909" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/188948909">said</a>:</p>
<blockquote>
<p>Also popping stack frames without running destructors is what happens if you unwind through <code>nounwind</code> since LLVM optimized your destructors away.</p>
</blockquote>
<p>that's IMO not a great way to look at this -- it's like saying "dereferencing a NULL ptr triggers a segfault". indeed that will often happen, but not always -- what actually happens is we have UB. and then the way the binary accidentally happens to behave is that it skips destructors, but of course anything else might happen.</p>



<a name="189102200"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102200" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102200">(Feb 26 2020 at 10:32)</a>:</h4>
<p>IOW, this is my usual statement that it is meaningless to look at the behavior of the compiled program unless we know there is no UB. <span class="user-mention" data-user-id="143274">@Amanieu</span> I keep giving responses like that to you, so I am wondering if you disagree with me about that view of UB?</p>



<a name="189102551"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102551" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102551">(Feb 26 2020 at 10:37)</a>:</h4>
<p>Sorry, I guess I worded this poorly. Let me try to rephrase: there are 2 ways that I know of which can (in compiled programs) result in unwinding a frame without running its destructors, and both are UB. The first is longjmp, which is specified (in C++) to be UB if jumping over frames with destructors. The other is the LLVM <code>nounwind</code> attribute which says that any unwinding through this frame is UB.</p>



<a name="189102583"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102583" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102583">(Feb 26 2020 at 10:37)</a>:</h4>
<p>So basically, there exists no well defined way of unwinding a frame without running its destructors.</p>



<a name="189102705"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102705" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102705">(Feb 26 2020 at 10:39)</a>:</h4>
<p>I see, thanks.</p>



<a name="189102715"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102715" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102715">(Feb 26 2020 at 10:39)</a>:</h4>
<p>I am not sure if "longjmp-across-frame-with-destructors is UB in C++" implies that it is UB in Rust -- in fact, I think that is part of the discussion</p>



<a name="189102730"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102730" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102730">(Feb 26 2020 at 10:39)</a>:</h4>
<p>and also, there are other operations that do this, like <code>pthread_cancel</code></p>



<a name="189102845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189102845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189102845">(Feb 26 2020 at 10:41)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/189102715" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/189102715">said</a>:</p>
<blockquote>
<p>I am not sure if "longjmp-across-frame-with-destructors is UB in C++" implies that it is UB in Rust -- in fact, I think that is part of the discussion</p>
</blockquote>
<p>on this point, I wonder why it is UB, actually -- is that something compilers exploit for optimizations, or is it just that they didn't want to specify what happens? in the Abstract Machine, it doesn't seem too hard to say "it just removes the stack frame and its allocations, but doesn't run any destructors"</p>



<a name="189103023"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189103023" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189103023">(Feb 26 2020 at 10:43)</a>:</h4>
<p>Because longjmp may or may not run destructors, depending on the target, optimization level, etc.</p>



<a name="189103101"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189103101" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189103101">(Feb 26 2020 at 10:44)</a>:</h4>
<p>On Windows it runs destructors, unless you use certain compiler options to say that <code>extern "C"</code> doesn't unwind, in which case it optimizes the destructors away. On all other platforms longjmp doesn't run destructors.</p>



<a name="189103125"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189103125" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189103125">(Feb 26 2020 at 10:44)</a>:</h4>
<p>^ This applies to Rust as well, but only on windows-msvc, not windows-gnu.</p>



<a name="189103144"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189103144" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189103144">(Feb 26 2020 at 10:45)</a>:</h4>
<p>So basically it is a non-portable mess and the C++ guys just decided to make it UB.</p>



<a name="189103218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189103218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189103218">(Feb 26 2020 at 10:46)</a>:</h4>
<p><code>pthread_cancel</code> is a bit more magic: it tries to unwind at first, then if it finds a frame without unwind info it falls back to a longjmp.</p>



<a name="189151320"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189151320" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189151320">(Feb 26 2020 at 19:45)</a>:</h4>
<p><span class="user-mention silent" data-user-id="143274">Amanieu</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/189103144" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/189103144">said</a>:</p>
<blockquote>
<p>So basically it is a non-portable mess and the C++ guys just decided to make it UB.</p>
</blockquote>
<p>Ah, Windows making things messy, what a surprise. ;) Makes sense though.</p>



<a name="189242874"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189242874" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189242874">(Feb 27 2020 at 18:43)</a>:</h4>
<p>My main take here is that I think we do want to make a statement that things like rayon which rely on destructors executing are valid bits of unsafe code. The term "sound" doesn't quite cover this, as it pertains specifically to what <em>safe</em> code can do, but (as we stated) this is more a matter of "unsafe composability". I don't know the right way for us to talk about this, but at minimum I think we can agree that Rust would want to have some kind of "default set" of rules regarding what unsafe code can and cannot do, and those rules would permit rayon (and hence exclude unwinding a frame without executing destructors). I do think it'd be useful to be precise about these sorts of assumptions (i.e., what are the things we assume unsafe code can and cannot do) so that at some later date we might find a way for unsafe code to declare this and to allow distinct, incompatible sets.</p>



<a name="189242908"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189242908" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189242908">(Feb 27 2020 at 18:43)</a>:</h4>
<p>So I was using terminology like "it is UB" to indicate "unsafe code should not do this" -- but I'm happy to have a different way to say it, I do feel that term is quite overloaded</p>



<a name="189294879"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189294879" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189294879">(Feb 28 2020 at 09:28)</a>:</h4>
<p>I personally feel like soundness is a pretty good way to express this -- indeed soundness is about safe code, but the entire composability story is about safe code! the hard part is making sure that any way safe code could compose things is fine.</p>



<a name="189294907"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189294907" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189294907">(Feb 28 2020 at 09:29)</a>:</h4>
<p>unsafe code composing things is not a useful thing to look at as that code can make mistakes -- if there is UB then, was it the fault of the pieces or did unsafe code compose them wrong?<br>
but if it's safe code doing the composition, then we know for sure it must be the fault of one of the pieces.</p>



<a name="189294997"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189294997" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189294997">(Feb 28 2020 at 09:30)</a>:</h4>
<p>so I think what we should do is explicitly bless some of these unsafely-implemented-safely-exposed patterns as sound (that would in some sense, be a normative decision), and have examples for what this makes unsound (but that would just be useful notes, does not have to be normative)</p>



<a name="189511640"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189511640" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189511640">(Mar 02 2020 at 17:04)</a>:</h4>
<p><span class="user-mention" data-user-id="116009">@nikomatsakis</span> <span class="user-mention" data-user-id="126931">@centril</span> <span class="user-mention" data-user-id="239881">@Josh Triplett</span> <span class="user-mention" data-user-id="237472">@acfoltzer</span> Zoom? Amanieu and I are at <a href="https://mozilla.zoom.us/j/768231760" target="_blank" title="https://mozilla.zoom.us/j/768231760">https://mozilla.zoom.us/j/768231760</a></p>



<a name="189514832"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189514832" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189514832">(Mar 02 2020 at 17:33)</a>:</h4>
<p>ping <span class="user-mention" data-user-id="116009">@nikomatsakis</span> <span class="user-mention" data-user-id="126931">@centril</span> <span class="user-mention" data-user-id="239881">@Josh Triplett</span> <span class="user-mention" data-user-id="237472">@acfoltzer</span></p>



<a name="189514930"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189514930" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189514930">(Mar 02 2020 at 17:34)</a>:</h4>
<p>Meeting started 30 minutes ago (and for some reason has disappeared from the lang team calendar)</p>



<a name="189516913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189516913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189516913">(Mar 02 2020 at 17:54)</a>:</h4>
<p><a href="https://hackmd.io/@co99gvfFSISYrFm9r3Psgg/rykL_65EU" target="_blank" title="https://hackmd.io/@co99gvfFSISYrFm9r3Psgg/rykL_65EU">https://hackmd.io/@co99gvfFSISYrFm9r3Psgg/rykL_65EU</a></p>



<a name="189519820"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189519820" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> acfoltzer <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189519820">(Mar 02 2020 at 18:22)</a>:</h4>
<p>hi, sorry about that. I never got a calendar invite so I was out running errands :(</p>



<a name="189519898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189519898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> acfoltzer <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189519898">(Mar 02 2020 at 18:23)</a>:</h4>
<p>I assume I missed it all?</p>



<a name="189521865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189521865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189521865">(Mar 02 2020 at 18:42)</a>:</h4>
<p><span class="user-mention" data-user-id="237472">@acfoltzer</span> We're still in the meeting, join up.</p>



<a name="189522143"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189522143" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189522143">(Mar 02 2020 at 18:45)</a>:</h4>
<p>(Actually Kyle had to leave so we just ended the meeting)</p>



<a name="189523190"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189523190" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> acfoltzer <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189523190">(Mar 02 2020 at 18:55)</a>:</h4>
<p>Gah, sorry. Next time I'll preemptively block out the times I answer yes on the Doodle</p>



<a name="189523556"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189523556" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189523556">(Mar 02 2020 at 18:58)</a>:</h4>
<p>I'm not sure what happened. Only me and Kyle attended the meeting.</p>



<a name="189523598"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189523598" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189523598">(Mar 02 2020 at 18:58)</a>:</h4>
<p>There was an event for it on the lang team calendar, but it got removed before the meeting?</p>



<a name="189532516"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532516" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532516">(Mar 02 2020 at 20:25)</a>:</h4>
<p>I think <span class="user-mention" data-user-id="116009">@nikomatsakis</span> has/had an event for this standing meeting, and removed it 5 hours ago or so because niko forgot that the previous ffi-unwind meeting had been postponed.</p>



<a name="189532647"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532647" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532647">(Mar 02 2020 at 20:27)</a>:</h4>
<p>Hmm I didn't think we had selected a time for this meeting :)</p>



<a name="189532662"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532662" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532662">(Mar 02 2020 at 20:27)</a>:</h4>
<p>I deleted the event for this week because lang team design meetings are usually chosen/announced with some notice</p>



<a name="189532676"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532676" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532676">(Mar 02 2020 at 20:27)</a>:</h4>
<p>though I realize that I think we need to adopt the compiler-team like structure of an "off week"</p>



<a name="189532687"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532687" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532687">(Mar 02 2020 at 20:27)</a>:</h4>
<p>because it's really hard to keep up the work needed to schedule things</p>



<a name="189532701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532701">(Mar 02 2020 at 20:27)</a>:</h4>
<p>but maybe I missed some messages or something, if so, sorry</p>



<a name="189532794"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532794" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532794">(Mar 02 2020 at 20:28)</a>:</h4>
<p>my inference from my email notices is that this meeting <em>was</em> originally scheduled for Feb 24th?</p>



<a name="189532804"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532804" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532804">(Mar 02 2020 at 20:28)</a>:</h4>
<p>and then that was cancelled (for whatever reason)</p>



<a name="189532846"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532846" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532846">(Mar 02 2020 at 20:29)</a>:</h4>
<p>and I'm guessing that the people present inferred that it was implicitly rescheduled to this week? Though I don't quite see how that inference actually works out, since in the general case this slot would be filled...</p>



<a name="189532875"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532875" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532875">(Mar 02 2020 at 20:29)</a>:</h4>
<p>so, yeah, I was wrong to say "niko forgot ..."</p>



<a name="189532937"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189532937" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189532937">(Mar 02 2020 at 20:30)</a>:</h4>
<p>(unless there was indeed some explicit rescheduling that I overlooked.)</p>



<a name="189533024"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189533024" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189533024">(Mar 02 2020 at 20:31)</a>:</h4>
<p>We did announce the date of the meeting in the blog post.</p>



<a name="189533280"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189533280" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189533280">(Mar 02 2020 at 20:34)</a>:</h4>
<p>okay yes, I can see that was a result of the <a href="#narrow/stream/210922-project-ffi-unwind/topic/Blog.20post/near/189141256" title="#narrow/stream/210922-project-ffi-unwind/topic/Blog.20post/near/189141256">conversation over here</a></p>



<a name="189534305"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189534305" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189534305">(Mar 02 2020 at 20:45)</a>:</h4>
<p>this seems like a clear indication that we need a centralized process to schedule lang team meetings =)</p>



<a name="189534446"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/189534446" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#189534446">(Mar 02 2020 at 20:46)</a>:</h4>
<p>e.g., I haven't caught up on that conversation yet</p>



<a name="190724945"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190724945" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190724945">(Mar 16 2020 at 13:57)</a>:</h4>
<p>Hey all, we have the FFI-unwind design meeting today in ~2 hours -- I'm not sure yet if I will make it. I'm feeling kind of under the weather today. I'm going to rest up a bit more in any case.</p>



<a name="190742733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190742733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190742733">(Mar 16 2020 at 15:59)</a>:</h4>
<p>Hey <span class="user-group-mention" data-user-group-id="1977">@T-lang</span> -- Been resting and I think I'm feeling better -- I'll be there but prob 5 minutes late.</p>



<a name="190743060"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190743060" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190743060">(Mar 16 2020 at 16:02)</a>:</h4>
<p><a href="https://blog.rust-lang.org/inside-rust/2020/02/27/ffi-unwind-design-meeting.html" target="_blank" title="https://blog.rust-lang.org/inside-rust/2020/02/27/ffi-unwind-design-meeting.html">https://blog.rust-lang.org/inside-rust/2020/02/27/ffi-unwind-design-meeting.html</a></p>



<a name="190743360"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190743360" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190743360">(Mar 16 2020 at 16:04)</a>:</h4>
<p><a href="https://hackmd.io/rG_5ksyCTuKsjks5cHONZQ" target="_blank" title="https://hackmd.io/rG_5ksyCTuKsjks5cHONZQ">https://hackmd.io/rG_5ksyCTuKsjks5cHONZQ</a></p>



<a name="190744376"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190744376" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190744376">(Mar 16 2020 at 16:12)</a>:</h4>
<p><a href="https://paper.dropbox.com/doc/ffi-unwind-design-meeting--AwTXTaBKAfAeJSG9IMPu0AawAg-Utb2e8ehhS42CYfDSj9h4" target="_blank" title="https://paper.dropbox.com/doc/ffi-unwind-design-meeting--AwTXTaBKAfAeJSG9IMPu0AawAg-Utb2e8ehhS42CYfDSj9h4">https://paper.dropbox.com/doc/ffi-unwind-design-meeting--AwTXTaBKAfAeJSG9IMPu0AawAg-Utb2e8ehhS42CYfDSj9h4</a></p>



<a name="190747637"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190747637" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190747637">(Mar 16 2020 at 16:35)</a>:</h4>
<p>Sorry my attention's so divided; I've got a couple things going on here</p>



<a name="190748259"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190748259" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190748259">(Mar 16 2020 at 16:40)</a>:</h4>
<p><a href="https://paper.dropbox.com/doc/ffi-unwind-2020-01-13--AwQLyPBsf9hfZRTS4tbXcI0MAg-agituL322N0qRsCbcnn7D" target="_blank" title="https://paper.dropbox.com/doc/ffi-unwind-2020-01-13--AwQLyPBsf9hfZRTS4tbXcI0MAg-agituL322N0qRsCbcnn7D">https://paper.dropbox.com/doc/ffi-unwind-2020-01-13--AwQLyPBsf9hfZRTS4tbXcI0MAg-agituL322N0qRsCbcnn7D</a></p>



<a name="190752405"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190752405" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190752405">(Mar 16 2020 at 17:09)</a>:</h4>
<p>Here are some relevant issues (there are probably more):</p>
<p><a href="https://github.com/rust-lang/rust/issues/52652" target="_blank" title="https://github.com/rust-lang/rust/issues/52652">https://github.com/rust-lang/rust/issues/52652</a></p>
<p><a href="https://github.com/rust-lang/rust/issues/47932" target="_blank" title="https://github.com/rust-lang/rust/issues/47932">https://github.com/rust-lang/rust/issues/47932</a></p>
<p>It is probably better to just open a new one as a "top level" FFI unwind tracker.</p>



<a name="190753221"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190753221" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190753221">(Mar 16 2020 at 17:15)</a>:</h4>
<p>(let's not do a straw poll on a GH issue though <span aria-label="slight smile" class="emoji emoji-1f642" role="img" title="slight smile">:slight_smile:</span> )</p>



<a name="190754693"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190754693" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190754693">(Mar 16 2020 at 17:25)</a>:</h4>
<p>"rocket ship if you like proposal 2, confused face if you like proposal 3" &lt; this was a joke!</p>



<a name="190754863"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190754863" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190754863">(Mar 16 2020 at 17:26)</a>:</h4>
<p>IIRC the governance wg had a Loomio instance set up, didn't they? I haven't used it; does it provide polls?</p>



<a name="190755151"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190755151" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190755151">(Mar 16 2020 at 17:28)</a>:</h4>
<p>/me is generally not a fan of conducting design decisions by polls <span aria-label="slight smile" class="emoji emoji-1f642" role="img" title="slight smile">:slight_smile:</span></p>



<a name="190756627"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190756627" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190756627">(Mar 16 2020 at 17:38)</a>:</h4>
<p>We've been stuck on this issue for a month with no progress. Both proposals have advantages and downsides, there's no clear winner. We have to make a decision somehow.</p>



<a name="190759016"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190759016" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190759016">(Mar 16 2020 at 17:57)</a>:</h4>
<p>I don't think the poll should be binding. I think it may be helpful to see which way, generally, people lean.</p>



<a name="190786367"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190786367" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190786367">(Mar 16 2020 at 22:10)</a>:</h4>
<p>How people lean is heavily dependent on who shows up to these sorts of polls; and at any rate, "we have to make a decision somehow" doesn't mean it's done by poll, but the lang team has to reach consensus somehow, yes.</p>



<a name="190787012"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190787012" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190787012">(Mar 16 2020 at 22:17)</a>:</h4>
<p>As for what proposal to go with, from my perspective, 1/2 are highly preferable as:</p>
<ul>
<li>It means we have more latitude to change the panic implementation for Rust as we would have to add shims for fewer functions, which is a key reason why unwinding to FFI was UB in the first place.</li>
<li>It seems quite problematic that <code>-C panic=abort</code> can make programs suddenly have UB.</li>
<li>Reasoning about higher order functions via function pointers is no longer possible.</li>
<li>It is a smaller change from the status quo.</li>
</ul>



<a name="190799964"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190799964" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190799964">(Mar 17 2020 at 01:27)</a>:</h4>
<p>I'm not sure it's a smaller change. Introducing a new semantic element to the language is a fairly large change.</p>



<a name="190800025"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190800025" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190800025">(Mar 17 2020 at 01:28)</a>:</h4>
<p>The function pointer concern can, of course, be addressed eventually, though not immediately, with function pointer annotations + a <code>nounwind</code> annotation</p>



<a name="190800147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190800147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190800147">(Mar 17 2020 at 01:30)</a>:</h4>
<p>For proposal 2, it's still the case that UB can be introduced by adopting <code>panic=abort</code>.</p>



<a name="190800346"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190800346" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190800346">(Mar 17 2020 at 01:35)</a>:</h4>
<p>I think I agree with the point about it being easier to change the mechanism in the future, but I'm not sure. Certainly I don't think proposal 3 would make it infeasible to make such a switch.</p>



<a name="190800445"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190800445" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190800445">(Mar 17 2020 at 01:37)</a>:</h4>
<p>It's a smaller change to <em>how people write code today;</em> certainly <code>"C nounwind"</code> as a new ABI is a larger change to the spec, but that's something else entirely. (Although since this is a modification of an existing ABI, it doesn't imply that much additional spec complexity really.) However, recovering the function pointer thing makes changed defaults into something <em>more</em> complicated, as we now have to route the annotations to the type system, rather than use the existing ABI syntax which the type system and the rest already work with. As for being able to introduce UB via <code>panic=abort</code>, that seems like a discussion re. 1 vs. 2, but the cases are fewer (I assume you refer to "Forced unwind with destructors" with Proposal 2, "C unwind" boundary, panic=abort  ==&gt; UB)</p>



<a name="190801089"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190801089" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190801089">(Mar 17 2020 at 01:50)</a>:</h4>
<p>I still don't follow: making the existing ABI spec "just work" certainly seems to me to be the smaller change to "how people write code".</p>



<a name="190801263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190801263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190801263">(Mar 17 2020 at 01:54)</a>:</h4>
<p>It invalidates less of people's existing knowledge; what you knew about <code>extern "C"</code> remains true, and there's this new thing <code>extern "C unwind"</code>. Making the existing ABI spec "just work" would suggest that "how people write code" today is to write code with lots of UB.</p>



<a name="190806946"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190806946" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190806946">(Mar 17 2020 at 04:15)</a>:</h4>
<p>You're assuming people start out with detailed knowledge of the semantics of Rust, as opposed to a working knowledge of what produces working code in practice.</p>



<a name="190810421"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190810421" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190810421">(Mar 17 2020 at 05:50)</a>:</h4>
<p>Not really. Working with unsafe code and FFI certainly requires some knowledge, but it's not very detailed. One merely has to consult <a href="https://doc.rust-lang.org/nightly/nomicon/ffi.html#ffi-and-panics" target="_blank" title="https://doc.rust-lang.org/nightly/nomicon/ffi.html#ffi-and-panics">https://doc.rust-lang.org/nightly/nomicon/ffi.html#ffi-and-panics</a> to find out that panicking across FFI boundaries is UB. I think that's a reasonable amount of required reading. Also, given that we have emitted nounwind since "always", it seems strange to say that this is "working code in practice" (and there's not a lot of evidence to suggest that people did accidentally cause UB).</p>



<a name="190810484"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190810484" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190810484">(Mar 17 2020 at 05:52)</a>:</h4>
<p>When code works, people don't necessarily consult the spec to find out if it's supposed to work.</p>



<a name="190810488"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190810488" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190810488">(Mar 17 2020 at 05:52)</a>:</h4>
<p>Also, it's not really "just work"; perhaps when you write it, but then later you want to use <code>panic=abort</code>, and then it doesn't work; that's not particularly helpful towards maintainable software</p>



<a name="190810499"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190810499" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190810499">(Mar 17 2020 at 05:53)</a>:</h4>
<p>The status quo is "it works". There's value in not breaking that status quo.</p>



<a name="190810549"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190810549" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190810549">(Mar 17 2020 at 05:54)</a>:</h4>
<p>(Also, we've had this conversation before, and repeating it seems unlikely to be productive. Suffice it to say that I value existing code even if it contains spec-UB.)</p>



<a name="190810570"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190810570" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190810570">(Mar 17 2020 at 05:55)</a>:</h4>
<p>Writing unsafe code with "when code works" in mind is going to become a problem fast -- it's not a good idea to reason about Rust via e.g. what the generated assembly is</p>



<a name="190894936"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190894936" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190894936">(Mar 17 2020 at 18:54)</a>:</h4>
<p><span class="user-mention silent" data-user-id="126931">centril</span> <a href="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/190810421" title="#narrow/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting/near/190810421">said</a>:</p>
<blockquote>
<p>Also, given that we have emitted nounwind since "always", it seems strange to say that this is "working code in practice" (and there's not a lot of evidence to suggest that people did accidentally cause UB).</p>
</blockquote>
<p>This feels like a return to the conversations we've had in the past about what the actual use cases "in the wild" are. I may be misremembering, but I thought we had <em>not</em> always emitted <code>nounwind</code>. Also, we have discussed several examples of projects using cross-language unwinding, which is in fact accidental UB.</p>



<a name="190895004"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190895004" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> BatmanAoD (Kyle Strand) <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190895004">(Mar 17 2020 at 18:54)</a>:</h4>
<p>...well, I suppose "accidental" may not be accurate, except in the case of mozjpeg, where it does appear that the author expected unwinding to be well-behaved.</p>



<a name="190965995"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/190965995" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#190965995">(Mar 18 2020 at 11:14)</a>:</h4>
<p><span class="user-mention" data-user-id="120076">@BatmanAoD (Kyle Strand)</span>  There are <em>a few</em> examples of accidental UB, and there are <em>a few</em> cases of intentionally ignoring UB. <em>A few</em> cases is not a statistically significant "this would do widespread ecosystem damage".<br>
As for whether we've really always emitted nounwind, we have done so for a long time, which makes the difference moot for me.</p>



<a name="191013415"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/213817-t-lang/topic/FFI-unwind%20design%20meeting/near/191013415" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Amanieu <a href="https://rust-lang.github.io/zulip_archive/stream/213817-t-lang/topic/FFI-unwind.20design.20meeting.html#191013415">(Mar 18 2020 at 17:21)</a>:</h4>
<p>I'm happy with either proposal, but have a very slight preference for proposal 2.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>